What is the CVSS score of CVE-2024-46506?

CVE-2024-46506 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 91.5%.

Which versions of PHP are affected by CVE-2024-46506?

Organizations using NetAlertX 23.01.14 through 24.x before 24.10.12 face critical risk from CVE-2024-46506, a missing authentication vulnerability rated CVSS 10.0.

Is there a public PoC exploit available for CVE-2024-46506?

Yes, a public proof-of-concept exploit is available for CVE-2024-46506. Prioritise patching immediately. EPSS: 91.5%.

How to fix or mitigate CVE-2024-46506?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Audit authentication configurations and rotate any potentially compromised credentials.

PHP CVE-2024-46506

CRITICAL

Missing Authentication for Critical Function (CWE-306)

2025-05-13 cve@mitre.org

PHP Authentication Bypass Command Injection Netalertx

10.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:41 vuln.today

PoC Detected

Jun 17, 2025 - 19:39 vuln.today

Public exploit code

CVE Published

May 13, 2025 - 16:15 nvd

CRITICAL 10.0

DescriptionNVD

NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.

AnalysisAI

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection through the settings update API. The savesettings function lacks authentication, enabling attackers to modify arbitrary configuration values and inject OS commands that execute on the host system.

Technical ContextAI

The settings.php endpoint exposes a savesettings function without authentication checks. Certain configuration values are later passed to system shell commands during NetAlertX's scan operations. By injecting shell metacharacters into these configuration values, an attacker achieves arbitrary command execution with the privileges of the NetAlertX process (often root on network monitoring appliances).

RemediationAI

Update to NetAlertX 24.10.12 or later. Never expose NetAlertX to the internet. Add authentication to the web interface using a reverse proxy. Run NetAlertX as a non-root user with minimal required capabilities.

CVE-2024-46506 vulnerability details – vuln.today

Back

PHP CVE-2024-46506

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code